After Virus, System Restore causes corrupt User profile

intellec7

New Member
I believe my computer got infected with a virus. Windows Defender detected "TrojanDownloader:Win32/Bredolab.AA" and "Trojan:Win32/Hiloti.gen!D". It claims to have successfully removed these. I restart my computer. When I log on, I get Data Execution Protection notifications about rundll32 and the like. I also notice that "flvencoder.exe" is running and consuming 30% CPU. I did install this program (Gmax FLV encoder) and perhaps it contained a virus (though the program worked). I also don't recall that it should have started upon logging on.

None of this really matters, I don't think. I did a System Restore to a point before I installed Gmax FLV encoder (3 days prior). The restore completes successfully. Upon logging into my account, I see the "Preparing Desktop" message and know that this is not good news. My user profile was not loaded. All of the data is there though.

What I first tried to do was logging into Safe Mode and setting the registry keys such that my old profile is loaded instead of a temporary one. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ contains keys corresponding to each profile. The one corresponding to my now corrupt profile has ".bak" appended to its key name. I renamed this to remove the appendage and changed the value of the "State" key from 0x80 to 0x00. I try rebooting the machine and logging into this account, but yet another temporary profile is created. I also tried undoing the System Restore, but a temporary profile is still loaded.

I experienced these similar symptoms many months ago, about 3 weeks after first getting this computer (Vista pre-installed). A hardware driver was causing many BSODs and spontaneous shutdowns. This managed to corrupt my user profile and I had to create a new one and manually transfer settings (thankfully I understand how most of my programs store profiles in AppData). When this happened many months ago, I tried creating new user profiles and pointing to the files from the corrupt one, but this never worked.

For this time around, the Event Viewer shows, under "Windows Logs/Application":
Warning User Profile Service: "Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on."

immediately followed by

Warning User Profile Service: "Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off."


Finally my question:
Is there a convenient way to fix the corrupt profile? Was it System Restore that botched it up? Can I get Windows to tell me what the specific issue is?

and

What is the best way to transfer Windows settings (like Folder view options, keyboard layouts, and other settings that I don't really remember)? I could do this manually, but I don't mind refining my IT skills with Windows (which I wish were better documented for this low-level stuff).

Further Information: Since this has happened to me twice, I wonder if my setup is particularly prone. Therefore, I must tell you that I have a symbolic link at C:\Users\<profile name> to a separate partition where the actual User Profile resides.

Thank you very much for any advice!
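The ProfileList inspection described above, as an added example that is not part of the original post. It is written for an elevated PowerShell 2.0 or later session; it lists every ProfileList entry, groups them by SID so a ".bak" entry and a temporary duplicate under the plain SID name show up side by side, flags a profile folder that is a symbolic link (the setup the post describes), and pulls the User Profile Service warnings the post quotes from the Application log with their event IDs. The event provider name is assumed to be 'Microsoft-Windows-User Profiles Service'; the script tells you how to confirm it if no events come back.

```powershell
# Added example, not from the thread. Read-only: it reports, it does not rename
# or rewrite any key. Run in an elevated PowerShell (2.0 or later).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $path = $p.ProfileImagePath
        $isLink = $false
        if ($path) {
            $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            # A ReparsePoint attribute on the profile folder means it is a
            # symbolic link or junction, as in the original poster's setup.
            if ($item) { $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint) }
        }
        New-Object PSObject -Property @{
            Sid       = ($_.PSChildName -replace '\.bak$', '')
            Key       = $_.PSChildName
            IsBackup  = ($_.PSChildName -like '*.bak')
            Path      = $path
            State     = ('0x{0:X2}' -f [int]$p.State)   # 0x80 marks a backed-up profile
            RefCount  = $p.RefCount
            IsSymlink = $isLink
        }
    }
}

$entries = @(Get-ProfileListEntry)
$entries | Sort-Object Sid, IsBackup |
    Format-Table Sid, Key, IsBackup, State, RefCount, IsSymlink, Path -AutoSize

# The same SID listed twice (once with ".bak", once without) means Windows has
# already created an entry for the temporary profile under the plain name, so
# renaming the ".bak" key on its own cannot take effect while that entry exists.
$entries | Group-Object Sid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $keys = ($_.Group | ForEach-Object { $_.Key }) -join ', '
    Write-Warning ("SID {0} has {1} ProfileList entries: {2}" -f $_.Name, $_.Count, $keys)
}

# The two warnings quoted in the post come from the User Profile Service;
# the event ID is what to search on instead of guessing at the cause.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-User Profiles Service'; Level = 3 }
$warnings = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($warnings) {
    $warnings | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No User Profile Service warnings found; confirm the provider name with: Get-WinEvent -ListProvider *Profile*'
}
```

Run it once before editing the registry by hand and once after each reboot: the duplicate-SID warning is the quickest way to tell whether the rename actually stuck or whether logon has silently created a fresh temporary entry again.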
 

Do you have a Vista installation disc?
 

Welcome,

The best way to transfer things like folder view, cookies, favorites, passwords etc. is Windows Easy Transfer.

If you use the Easy Transfer for Vista, you should be able to transfer to a finger drive, etc. Then back to Windows 7.
http://windows.microsoft.com/en-US/windows7/products/features/windows-easy-transfer

Make a test run first to be sure. In addition, be very, very sure that all traces of the virus are gone. You do not want to take the chance of transferring the baddies to the new installation.
 
Thanks for the reply.

I do have a Vista installation CD along with the recovery partition on my Dell laptop. Please tell me what you are suggesting.

I cannot log on to my actual profile, so I don't imagine that the Easy Transfer application will be helpful.

For posterity:

It turns out that my issue was related to the NTUSER.dat and corresponding log files in my profile. If I create a new account and keep its NTUSER.dat and move all other files from my profile, then I am able to get a semi-decent restoration.

Semi-decent because: all Windows settings are lost (Folder view options, startup options). This is because NTUSER.dat stores all of a user's registry settings. This is what I actually wanted to move from one profile to the other. Everything else is just program-specific files, or things like the start menu.

Additionally, I experienced some (severe) other issues. I could not list my Network connections. Registering DLLs fixed this problem, but only intermittently. I haven't looked around much more, but I imagine there is similar damage elsewhere. It is possible that this is related to the virus.

It is a shame that System Restore couldn't do a better job with restoring NTUSER.dat since I had a ton of restore points before the likely infection time.
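The post above is right that NTUSER.dat is the user's registry hive, and the settings it names (folder view options, keyboard layouts) each live under a known key in that hive, so they can be carried over individually rather than by swapping the whole file. The following is an added example, not from the thread: it loads the damaged profile's NTUSER.DAT under a temporary name with reg.exe, exports a short list of keys, rewrites the exported paths to HKEY_CURRENT_USER and imports them into the account you are logged on as. The path in $OldNtUser is a placeholder, HKU\OldProfile is an arbitrary mount name, and the script assumes an elevated PowerShell 2.0+ session with the damaged profile not logged on (a logged-on profile holds its hive open and reg load fails). The Run key is exported for reading only, since the thread also discusses a trojan that could have left an autostart entry there.

```powershell
# Added example, not from the thread. Carries selected settings from a damaged
# profile's NTUSER.DAT into the current user's hive instead of moving the file.
$OldNtUser = 'D:\Profiles\olduser\NTUSER.DAT'   # placeholder: the damaged profile's hive
$MountName = 'OldProfile'                        # arbitrary name for the loaded hive
$Mount     = "HKU\$MountName"
$Work      = Join-Path $env:TEMP 'profile-migrate'

# Keys worth carrying over, relative to the user hive. The first two are the
# settings the post named; Control Panel\Desktop holds wallpaper and similar.
$CopyKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',   # folder view options
    'Keyboard Layout\Preload',                                        # keyboard layouts
    'Control Panel\Desktop'
)
# Exported for inspection only: never import autostart entries from a machine
# that has had a downloader trojan on it without reading them first.
$ReviewOnly = @('Software\Microsoft\Windows\CurrentVersion\Run')

New-Item -ItemType Directory -Path $Work -Force | Out-Null
& reg.exe load $Mount $OldNtUser | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: wrong path, or the old profile is still logged on" }

try {
    foreach ($key in ($CopyKeys + $ReviewOnly)) {
        $file = Join-Path $Work (($key -replace '[\\ ]', '_') + '.reg')
        Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
        & reg.exe export "$Mount\$key" $file | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "not present in old hive: $key"; continue }

        if ($ReviewOnly -contains $key) {
            Write-Host "exported for review only, not imported: $file"
            continue
        }

        # reg export writes the loaded-hive path (HKEY_USERS\OldProfile\...);
        # rewrite it so the import lands in the profile you are logged on as.
        $text = Get-Content -Path $file
        $text -replace "^\[HKEY_USERS\\$MountName\\", '[HKEY_CURRENT_USER\' |
            Set-Content -Path $file -Encoding Unicode
        & reg.exe import $file | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "imported: $key" } else { Write-Warning "import failed: $key" }
    }
}
finally {
    # Always release the hive; while it is loaded, that profile cannot log on.
    & reg.exe unload $Mount | Out-Null
}
```

Imported Explorer settings take effect after logging off and on again. If the old hive is itself damaged, reg load reports a failure rather than importing garbage, which is the signal that the hive, not the rest of the profile, is what System Restore left unusable.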
 

I was wondering whether it would be a viable option to reinstall Windows (or repair it).
 

Open up command prompt (Type cmd in the start menu search box and hit return)
Then type:

sfc /scannow

Let it run, and let us know if it detects anything.
 

I don't think a system restore is going to get rid of the Trojan:

TrojanDownloader:Win32/Bredolab.AA is a trojan that downloads and executes other malware from a remote server.
You are still infected and your computer has been compromised.

Do this first, change all your passwords using a clean computer ... not the infected one!

Flush your DNS cache and restore MS's original hosts file:
Copy and paste these lines in Notepad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Right click on the bat file and run as Administrator. Your computer will reboot itself.

Now see if Malwarebytes' Anti-Malware will remove it. You may need to download it using a clean computer and copy it to a CD

download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.46 Download
* Right-click mbam-setup.exe, choose Run as Administrator, and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.
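The batch file above resets the hosts file blind, which destroys the evidence of what a downloader trojan changed. As an added example that is not part of the thread, the script below audits the hosts file first: it reads the file from $env:SystemRoot (so it works whatever the current drive is, unlike a relative pushd), prints its attributes and last-write time, and classifies every active entry as the Windows default (loopback to localhost) or as something to review. Both patterns it flags are ones malware uses: a real name mapped to a foreign address, or a security vendor's update host pinned to loopback so it can no longer be reached. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Read-only audit of the hosts file.
function Get-HostsEntry {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = ($raw -split '#', 2)[0].Trim()      # strip comments and blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        $names = @()
        if ($parts.Length -gt 1) { $names = @($parts[1..($parts.Length - 1)]) }
        New-Object PSObject -Property @{
            Address = $parts[0]
            Names   = $names
            Raw     = $raw.Trim()
        }
    }
}

function Test-HostsEntry {
    param($Entry)
    $loopback = @('127.0.0.1', '::1')                 # Vista's default maps both to localhost
    $isLoop = $loopback -contains $Entry.Address
    $onlyLocalhost = (@($Entry.Names | Where-Object { $_ -ne 'localhost' }).Count -eq 0)
    if ($isLoop -and $onlyLocalhost) { return 'ok (default)' }
    if ($isLoop) { return 'review: non-localhost name pinned to loopback' }
    return 'review: name mapped to a non-loopback address'
}

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$file = Get-Item -LiteralPath $hostsPath -Force        # -Force: the batch above sets hidden+system
"hosts: $hostsPath"
"attributes: $($file.Attributes)   last write: $($file.LastWriteTime)"
$entries = @(Get-HostsEntry -Path $hostsPath)
if ($entries.Count -eq 0) { 'no active entries (a comment-only hosts file is also a valid state)' }
foreach ($e in $entries) {
    '{0,-45} {1}' -f $e.Raw, (Test-HostsEntry $e)
}
```

A last-write time that falls inside the infection window is worth as much as any single entry, and a copy of the file taken before the reset is what lets you later say which names the malware was redirecting.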
 

I would also recommend using a boot scanner if everything else doesn't work.

AVG rescue cd is a good one.
 

Hi all. I appreciate the replies, but I am not asking for advice about removing malware. My hosts file is intact and my system is fine as far as I know. For the record, that batch file assumes that the current working directory is on the same drive as the Windows directory, C:\, which might not work in all configurations.

Reinstalling Windows Vista will not fix the problem because the problem involves personal user preferences in NTUSER.dat.

I will try the sfc /VERIFYONLY command. It seems promising. Thanks for mentioning it!
 

Let us know how it goes for you :)
 
